Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/18/2016
08:15 AM
Todd Thibodeaux
Todd Thibodeaux
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Beyond Data: Why CISOs Must Pay Attention To Physical Security

Information security professionals are missing the big picture if they think of vulnerabilities and threats only in terms of data protection, password hygiene and encryption.

Battered by a nearly constant onslaught of attacks and revelations of security breaches, IT businesses and departments have doubled down on securing their organizations’ data. Better password hygiene, data access restrictions and encryption are all fundamental to preventing a data breach. However, physical security is often overlooked.

As InfoSec defends their organizations from attackers whose motivations run the gamut from quick financial gain to disgruntled employees and customers, it’s imperative for IT departments to take a comprehensive approach to securing their organizations.

Overcoming “not my job” syndrome
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats. IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.

Technology professionals needs to get back to basics. While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer. Security must be considered at every step, even when no networked communication is taking place.

This means not only making sure the cabling, power supply and other infrastructure are in place, but also addressing unlocked server rooms, loosely managed inventory and environmental hazards. It can be easy for IT professionals to dismiss physical security as another department’s purview, but only IT has the expertise necessary to identify and assess these sources of risk.

Merging physical and data security
The IT implications of poor physical security practices can be dire – as aptly demonstrated by the late 2014 attack on Sony. In fact, a statement attributed to one of the attackers in various news reports went as far as to claim, “Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in.” Even barring the potential for internal sabotage, it can be extraordinarily difficult for organizations to re-secure their environment once a physical security breach occurs.

Thankfully, IT departments have a variety of tools at their disposal to address both physical and data security. Disk encryption, already widely used in the business world, can be extended to provide greater physical security through the use of a trusted platform module (TPM). Combined with trusted network configurations, IT departments can ensure that data is inaccessible to unauthorized parties, even if a workstation or server is physically compromised.

Additional measures, like keeping server room doors locked, creating and enforcing ID policies, or installing mantraps can dramatically reduce the consequences physical security threats pose. Other software-based approaches, like implementing a mobile device management (MDM) solution, enabling geolocation and disabling unnecessary physical ports on workstations can prevent many common attacks without creating an undue burden on end users. By taking simple steps to reduce physical security loopholes, IT professionals can narrow and better manage their vulnerabilities.

A holistic approach to security
Whether through phishing, impersonation, tailgating or more “traditional” network-based attacks, organizations and their data face a number of serious threats. IT professionals must take a more comprehensive view of their organization’s security landscape, accounting for all potential weaknesses, not just software vulnerabilities. It’s imperative to close off obvious avenues of attack by using security controls already in place – almost every organization has at least some policies around locking doors and verifying employee identities – but many businesses don’t see the importance of these procedures and enforcement tends to be lax.

Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access. Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder. By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to rBegister.

Related Content:

 

Todd Thibodeaux is the president and chief executive officer of the Computing Technology Industry Association, the leading trade association representing the business interests of the global information technology industry. He is responsible for leading strategy, development ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Gary Scott
50%
50%
Gary Scott,
User Rank: Strategist
7/20/2016 | 7:19:02 PM
Physical Security and Decommissioning
CISOs should review their refresh and decommissioning processes for physical security threats.  We often see unsecured servers, storage units and loose hard drives when starting hard drive destruction projects.  

The equipment usually is found in the company's warehouse facilities attended by warehouse personnel (which probably dont have authorized access to the information).     

E-Waste Security provides onsite hard drive shredding services.

 
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting